Windows Security and Full Disclosure
Summary: A Windows Security site alleges that Linux contains more security threats than Windows. Is this true?
A sys admin friend referred me to an article about whether Windows is
more secure than Linux. It says:
WINDOWS MORE SECURE THAN LINUX? YEP! Thanks to David Byrne for this
tip: For at least the first 8 months of 2001, open-source poster
child Linux was far less secure than Windows, according to the
reputable NTBugTraq, which is hosted by SecurityFocus, the leading
provider of security information about the Internet. (The company's
2001 statistics are available only through August 2001 for the time
being.) According to NTBugTraq, Windows 2000 Server had less than
half as many security vulnerabilities as Linux during the reported
period. When you break the numbers down by Linux distribution, Win2K
had fewer vulnerabilities than RedHat Linux 7.0 or MandrakeSoft
Mandrake Linux 7.2, and it tied with UNIX-leader Sun Microsystems
Solaris 8.0 and 7.0. A look at the previous 5 years--for which the
data is more complete--also shows that each year, Win2K and Windows
NT had far fewer security vulnerabilities than Linux, despite the
fact that Windows is deployed on a far wider basis than any version
of Linux. So once again, folks, you have to ask yourselves: Is
Windows really less secure than Linux? Or is this one of those
incredible perception issues? For more information and the complete
stats, visit the SecurityFocus Web site. I'll check back on this
story to see how all of 2001 shapes up.
Here is my response:
I am neither a sys admin nor a security expert, but I have to say I
find the conclusion drawn from that web page and quote to be highly
questionable. Here are some responses on Slashdot to this claim.
Slashdot also had a good list of security problems Microsoft needs to
solve during this month of "Fix all security bugs."
Let me concede something. Because Windows is the predominant OS, it
naturally will attract more script kiddies and crackers than other
OSes. That is only natural. As Linux increases mindshare (which is
happening more slowly than anticipated, admittedly), it too will see
its fair share of worms, DoS attacks and zombies. But the charts on
the web page are meaningless to me. They just list numbers without
giving any insight into what type of vulnerabilities are discussed and
the relative severity of each one. Linux and Windows are susceptible
to different kinds of vulnerabilities. Also, it's easy to disagree
about the counting system. What constitutes a single vulnerability and
what constitutes two? Here are some other thoughts:
- The Gartner group (one of the most respected IT consulting firms) made
a recommendation a few months ago that businesses consider changing
from MS's IIS Server to Apache Server, (which is available on Windows,
but most widely used in linux) simply for security reasons. The amount
of the security breaches for Apache is trivial; for IIS Server,
considerable.
- Email servers. The most popular vehicle for transmitting viruses these
days is email, and Outlook/Exchange viruses have been hitting
companies every two or three months. How much system admin time is
spent installing patches and virus definition updates? It is true that
sendmail (the UNIX/Linux mail server) had a lot of security breaches
a few years ago, but very few recently.
- Windows has shown a dangerous tendency to respond slowly to security
problems and delay publicizing these problems. This happened most
recently when a major security breach was found in MS's passport
system. Breaches in that application are ordinary occurrences. What was
unusual is that Microsoft preferred not to announce it until a
solution had been found (a period lasting, I think, for two or three
weeks), letting the supposed vulnerability exist without sys admins
knowing about it. I've seen reports that Microsoft responds to
security bugs more slowly than many open source projects.
- Microsoft has not been good over time about default settings. What
about the remote plug and play fiasco on Windows XP that happened
recently? What about Windows 9x security? What about file and print
sharing? What about HTML mail for Outlook users? What about Word
macros? What ports are open on a freshly installed Windows machine?
- I think the question basically boils down to whether you think open
source is good for security or bad. (See a good article about
security through obscurity.) There are good arguments for either
position. I tend to think that bugs in open source products are found
more quickly and patched more quickly (at least with high visibility
applications). Microsoft's monopolizing power offers little
incentive for them to provide responses as quickly as needed. If a
Linux vulnerability on the order of magnitude of Code Red or passport
were posted publicly, some Linux dude working on a kernel or
application would have responded very quickly. With Microsoft, you are
on the corporation's timetable and priority list. A company like
Microsoft has great programmers but only
a finite set of eyeballs to look over code before it is released to
the public.
- (On the other hand, in Microsoft's defense), they provide a unified
infrastructure for updating the OS and installing service packs,
something that Linux distributions are not famous for. Also, Microsoft
has to stand behind its code or fear losing market share or being
susceptible to lawsuits (although its EULAs offer some
degree of immunity). For that reason, Microsoft has a financial stake
in producing good safe code. Open source projects, on the other hand,
can't really be held accountable in court.
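The counting objection made above (does a flaw in a shared package count once, or once per distribution that ships it, and does severity enter at all?) is easy to make concrete. The following is an added example, not part of the original post or of any tracker's code. It runs on a small set of advisory records constructed purely for illustration; the flaw IDs, components and severity weights are invented, the product names are used only as labels, and the numbers say nothing about the real 2001 figures. It tallies the same records under three counting rules and shows that the ranking depends on the rule.

```python
"""Show how the same advisory records produce different 'vulnerability
counts' depending on the counting rule. All data below is constructed
for illustration and is not drawn from any real advisory database."""
from collections import defaultdict

# Constructed sample: (product advisory was filed against, component,
# upstream flaw id, severity). A single flaw in a component shared by
# several distributions (here "openssh" and "man") appears once per
# distribution, exactly as it would in a per-product advisory list.
ADVISORIES = [
    ("Windows 2000", "iis",     "flaw-001", "critical"),
    ("Windows 2000", "iis",     "flaw-002", "critical"),
    ("Windows 2000", "kernel",  "flaw-003", "low"),
    ("RedHat 7.0",   "openssh", "flaw-010", "high"),
    ("Mandrake 7.2", "openssh", "flaw-010", "high"),   # same upstream flaw
    ("RedHat 7.0",   "man",     "flaw-011", "low"),
    ("Mandrake 7.2", "man",     "flaw-011", "low"),    # same upstream flaw
    ("RedHat 7.0",   "xchat",   "flaw-012", "low"),
    ("Mandrake 7.2", "kernel",  "flaw-013", "high"),
]

LINUX_DISTROS = {"RedHat 7.0", "Mandrake 7.2"}

# Arbitrary weights chosen for the example; any real comparison would
# have to justify its own scale.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}


def family(product):
    """Fold individual distributions into one 'Linux' bucket, the way the
    headline comparison does; everything else keeps its own name."""
    return "Linux" if product in LINUX_DISTROS else product


def count_per_advisory(advisories):
    """Rule 1: every advisory line counts once. This is what you get by
    summing per-distribution lists, so a shared flaw counts N times."""
    counts = defaultdict(int)
    for product, _component, _flaw_id, _severity in advisories:
        counts[family(product)] += 1
    return dict(counts)


def count_distinct_flaws(advisories):
    """Rule 2: count distinct upstream flaws per family, so one OpenSSH
    bug shipped by two distributions is one vulnerability."""
    seen = defaultdict(set)
    for product, _component, flaw_id, _severity in advisories:
        seen[family(product)].add(flaw_id)
    return {fam: len(ids) for fam, ids in seen.items()}


def severity_weighted(advisories):
    """Rule 3: distinct flaws per family, each weighted by severity."""
    severity_of = {}
    for product, _component, flaw_id, severity in advisories:
        severity_of[(family(product), flaw_id)] = severity
    totals = defaultdict(int)
    for (fam, _flaw_id), severity in severity_of.items():
        totals[fam] += SEVERITY_WEIGHT[severity]
    return dict(totals)


if __name__ == "__main__":
    for name, rule in [("per advisory line", count_per_advisory),
                       ("distinct flaws", count_distinct_flaws),
                       ("severity-weighted", severity_weighted)]:
        print(f"{name:20s} {rule(ADVISORIES)}")
```

On this constructed data the first rule gives "Linux" twice the count of Windows 2000, the second brings them nearly level, and the third reverses the order, without a single record changing. Whatever the real figures were, a chart that does not state which of these rules it used, and what severity each entry had, cannot settle the question.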